09-11-2013 02:26 PM - edited 03-10-2019 08:53 PM
Hi,
I want to restrict client communication based on dACLs for some Endpoint Groups with MAB. Most of the clients are configured with DHCP, and for these clients everything is working fine. But there are also clients with static IP configuration, and here is the problem. ISE does not know the IP address of the statically configured client, so the 'source any' statement of the dACL cannot be replaced with the client IP.
How is it possible to let ISE learn the static addresses and get this working?
ISE is on v1.2, IOS on switch is on 15.02.SE1
Thanks, Florian
09-12-2013 06:25 AM
Please check the link below, which can be helpful in making a decision about licensing:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_ipep_deploy.html
09-12-2013 10:56 PM
Hi
To start the process where you can display, create, modify, or delete policy element permissions for downloadable ACLs (DACLs), you need to locate its navigation pane in the Cisco ISE user interface. To do this, choose Policy > Policy Elements > Results > Authorization to display the Authorization navigation pane.
The Authorization navigation pane initially displays:
•Authorization Profiles
•Downloadable ACLs
•Inline Posture Node Profiles
For more information please go through this link:
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html#wpxref16076
09-15-2013 02:08 PM
Fixed IP shouldn't be an issue as the switch detects client IP by looking into the packets. Assuming you applied the
ip device-tracking
command. You can check the client IP address by
show authen session int Fa0/x
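The reply above describes the mechanism behind the original problem: the switch, not ISE, rewrites the dACL's `any` source to the IP it has learned for the session through ip device-tracking, so an endpoint whose IP was never learned cannot have the dACL bound. The following is an added Python example (not code from this thread, Cisco, or ISE) that simulates that substitution over a constructed dACL modeled on the ACL-DEFAULT entries quoted later in the thread, with a constructed device-tracking table as input. It shows both the DHCP case (IP learned, every ACE rewritten) and the static-IP case (no entry, binding refused), which is the condition to look for in `show authentication sessions` output. The MAC addresses, IPs and dACL lines are all constructed.

```python
import ipaddress
import re

# Constructed device-tracking table: MAC -> IP the switch learned for that
# session. A statically addressed endpoint that has not yet sent traffic the
# switch could snoop has no learned IP (represented here as None).
DEVICE_TRACKING = {
    "00:11:22:33:44:55": "10.1.1.20",  # DHCP client, IP learned
    "66:77:88:99:aa:bb": None,         # static-IP client, nothing learned yet
}

# Constructed dACL in the "source any" form ISE pushes to the switch.
# Modeled on the ACL-DEFAULT entries from the thread; the ISE address is made up.
DACL = [
    "permit udp any eq bootpc any eq bootps",
    "permit udp any any eq domain",
    "permit icmp any any",
    "permit tcp any host 10.1.1.5 eq 443",
    "deny ip any any log",
]

# action, protocol, the literal 'any' source, then the rest of the ACE
ACE_RE = re.compile(r"^(permit|deny)\s+(\S+)\s+any(\s.*)?$")


def bind_dacl(dacl, client_ip):
    """Rewrite each ACE's 'any' source to 'host <client_ip>', as the switch
    does when it applies a dACL to an authenticated session.

    Raises ValueError when no client IP is available: that is the static-IP
    failure mode from the original question, and the caller should treat it
    as "dACL not applied", not as a silent pass.
    """
    if client_ip is None:
        raise ValueError("no IP learned for endpoint; dACL cannot be bound")
    ipaddress.ip_address(client_ip)  # reject garbage before building ACEs
    bound = []
    for ace in dacl:
        match = ACE_RE.match(ace.strip())
        if not match:
            raise ValueError(f"unsupported ACE format: {ace!r}")
        action, proto, rest = match.groups()
        bound.append(f"{action} {proto} host {client_ip}{rest or ''}")
    return bound


def bind_for_mac(mac, dacl=DACL, table=DEVICE_TRACKING):
    """Look the session's MAC up in the tracking table and bind the dACL."""
    return bind_dacl(dacl, table.get(mac))


def session_status(mac, table=DEVICE_TRACKING):
    """What an operator wants from 'show authentication sessions': whether the
    session has an IP the dACL can be bound to."""
    ip = table.get(mac)
    if ip:
        return f"{mac}: IP {ip} learned, dACL will bind"
    return f"{mac}: no IP learned, dACL cannot bind (check ip device-tracking)"


if __name__ == "__main__":
    for mac in DEVICE_TRACKING:
        print(session_status(mac))
        try:
            for ace in bind_for_mac(mac):
                print("   ", ace)
        except ValueError as err:
            print("   ", err)
```

For the DHCP client every ACE comes back with `host 10.1.1.20` in place of the source `any`; for the static-IP client the function refuses to bind, which is the state the original poster is seeing. The fix on a real switch is to make sure ip device-tracking is enabled and has an entry for the port, as the reply above suggests.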
09-16-2013 04:13 PM
I am not very sure, but can you try this and check (instead of any any, just give your network address)
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.html
Enable these functions on older switches (with IOS releases earlier than 12.2(55)SE) to ensure Cisco ISE is able to perform the dynamic ACL updates required for authentication and authorization.
ip access-list extended ACL-ALLOW
permit ip any any
!
ip access-list extended ACL-DEFAULT
remark DHCP
permit udp any eq bootpc any eq bootps
remark DNS
permit udp any any eq domain
remark Ping
permit icmp any any
remark Ping
permit icmp any any
remark PXE / TFTP
permit udp any any eq tftp
remark Allow HTTP/S to ISE and WebAuth portal
permit tcp any host <Cisco_ISE_IP_address> eq www
permit tcp any host <Cisco_ISE_IP_address> eq 443
permit tcp any host <Cisco_ISE_IP_address> eq 8443
remark Drop all the rest
deny ip any any log
!
! The ACL to allow URL-redirection for WebAuth
ip access-list extended ACL-WEBAUTH-REDIRECT
deny ip any host <Cisco_ISE_IP_address>
permit ip any any